Posted to users@tomcat.apache.org by John Niven <Jo...@marcat.com> on 2002/06/12 16:06:39 UTC
RE: Black magic Authentication Digest and JDBC Realm on Tomcat 4.0.3
> -----Original Message-----
> From: PATTUS Jean-Philippe [mailto:jppattus@sogitec.fr]
> Sent: 12 June 2002 14:49
> To: tomcat-user@jakarta.apache.org
> Subject: TR: Black magic Authentication Digest and JDBC Realm
> on Tomcat 4.0.3
>
>
> Nobody for my little problem? Should I try black magic?
>
> > -----Original Message-----
> > From: PATTUS Jean-Philippe [SMTP:jppattus@sogitec.fr]
> > Date: Wednesday 12 June 2002 10:46
> > To: tomcat-user@jakarta.apache.org
> > Subject: Authentication Digest and JDBC Realm on Tomcat 4.0.3
> >
> > Hello,
> > I'm working on Tomcat 4.0.3.
> > I'm trying to put an authentication on my web app,
> > if the auth-method is BASIC and
> > the Realm is
> > <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
> > driverName="oracle.jdbc.driver.OracleDriver"
> > connectionName="Name"
> > connectionPassword="Password"
> > connectionURL="jdbc:oracle:thin:@host:1521:toto"
> > userTable="userTable" userNameCol="userNameCol"
> > userCredCol="userCredCol"
> > userRoleTable="userRole" roleNameCol="roleNameCol" />
> > it works fine.
> > But if I replace BASIC by DIGEST, my authentication is KO. I've seen in the
> > code that JDBCRealm::getPassword() always returns null!!!
> >
Just an idea (I don't know) but this could be by design - if getPassword()
returns the hashed password, it's a potential security risk (an attacker
would "just" need to hash a dictionary until they came across a matching
hash).
Not sure how JDBCRealm deals with this, though...sorry.
> > How can I configure my Tomcat in order to have JDBC Realm and Digest
> > authentication???
> >
> > Thanks
> >
Well, don't know how useful I've been :(
Cheers
John
--
John Niven
Please reply through mailing list